Thousands of exposed artifacts in cloud software repositories and registries with more than 250 million artifacts and over 65,000 container images have been found by cloud security company Aqua Security.
Aqua found that even huge firms unintentionally exposed secrets, used default passwords, and gave users unnecessarily high privileges as part of research to detect software supply chain gaps that could allow threat actors to abuse registries.
According to Aqua, some of these situations involved anonymous user access, which might have given a potential attacker access to private data, including secrets, keys, and passwords, and exposed the software development life cycle (SDLC) to major supply chain attacks.
The investigation concentrated on package management systems used in cloud software development, such as registries, repositories, and artifact management systems (tools for managing binary files).
Aqua’s study uncovered internet-accessible Quay registries, container image registries, Sonatype Nexus repositories, and JFrog Artifactory instances. Several of the discovered registries could be accessed anonymously with read and/or write privileges.
Aqua found 156 servers with private, sensitive endpoint addresses and 1,400 different internet-exposed registries with at least one sensitive key. More than 2,100 artifact registries were set up with upload permissions, and 57 of the discovered registries had severe flaws like a default admin password.
According to Aqua, the misconfigured registries belonged to small, medium, and large firms from all around the world, including ten Fortune 500 corporations. Only the registries of five of those Fortune 500 businesses, however, held very sensitive data.
Furthermore, according to Aqua, two of the biggest cybersecurity firms had secrets exposed in their registries, and a large number of smaller companies had similar flaws that put them at risk.
A multinational tech company that was one of the afflicted businesses had two container image registries that were incorrectly configured, one of which gave attackers access to artifacts like an active API key for downloading internal binaries.
Aqua points out that the registry included 2,600 repositories with more than 240 million artifacts and that the API key could be used to contaminate libraries, images, and releases. After being made aware of the exposure, the impacted organization immediately took care of the problem. “We later learned that this was a case of Shadow IT, where a developer with a side project opened an environment against policy and regulations without proper controls,” Aqua claims.
The cybersecurity company claims another internet giant has a purposefully open public artifact registry that disclosed a token (presumably intended for the public). Following the company’s notification of the exposure, stricter controls were put in place.
A healthcare organization’s container image registry contained code, staging environments, PGP keys, access to websites and databases, and keys for the Stripe payment service. Thanks to the exposure, an attacker might have been able to access the organization’s environments and contaminate its codebase.
Last but not least, Aqua adds, “Because this was a healthcare firm, it might have been targeted by state-sponsored threat actors or financial threat actors that sell private identifiable information on the dark web and can result in identity theft of the healthcare organization’s clients.”
The security company also found that a software startup had given anonymous users access to its artifact registry and build section, where they could examine admin access credentials and AWS credentials and reach the organization’s source code management system.
In addition to securing repositories, implementing strong authentication and authorization, enforcing least-privilege access controls, routinely rotating keys and credentials, and routinely auditing their registries for sensitive data, organizations should run a responsible disclosure program so that such issues can be easily reported.
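The "audit registries for sensitive data" recommendation above can be turned into a repeatable check. The following is an added example, not code from Aqua or the article: it walks a container layer or artifact bundle (a tar archive) and flags file contents that look like credentials. The secret patterns and the sample layer are constructed assumptions for illustration, not values from the report.

```python
import io
import re
import tarfile

# Assumed patterns for common credential formats (not from the Aqua report).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9a-zA-Z]{16,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY(?: BLOCK)?-----"),
    "password_assignment": re.compile(r"(?im)^\s*(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}


def scan_text(path, text):
    """Return (path, pattern_name, line_number) for every hit in one file."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((path, name, line_no))
    return findings


def scan_tar(data):
    """Scan every regular file inside a tar archive (e.g. an exported image layer)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            blob = tar.extractfile(member).read()
            try:
                text = blob.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary content: a real audit would add an entropy check here
            findings.extend(scan_text(member.name, text))
    return findings


def build_sample_layer():
    """Constructed sample layer with fake secrets (AWS doc example key, dummy values)."""
    files = {
        "app/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nSTRIPE_KEY=sk_live_0000000000000000abcd\n",
        "app/config.yml": "db:\n  host: db.internal\n  password: hunter2\n",
        "root/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n-----END OPENSSH PRIVATE KEY-----\n",
        "app/main.py": "print('hello')\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            raw = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()
```

Run this over layers pulled from your own registry (for example the output of `docker save`) and fail the pipeline on any finding; the same loop extends to artifact bundles such as npm or Maven tarballs.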
Aqua’s research team, Aqua Nautilus, has found thousands of incorrectly configured artifact repositories and container image registries, putting enterprises at risk of significant software supply chain attacks. The security company discovered that many software artifacts and container images had been made publicly available in this way, endangering several Fortune 500 organizations and other big global corporations. To give external stakeholders access to open-source software, artifact management systems and container registries are frequently connected to the internet on purpose and made available to anonymous users. However, that is not always the case. The report described instances in which teams “accidentally publish sensitive information to public areas” and scenarios in which “restricted environments are accidentally shared with anonymous users.”
More on software supply chain risks can be found here: Attacks on the software supply chain have risen by 742% in three years. The misconfigurations the Aqua Nautilus team discovered included exposing secrets to public registries, connecting registries to the internet by accident, using default passwords, and giving users excessive rights. It also found private container image registries that either had anonymous access enabled by default or had it configured incorrectly. According to the research, “we discovered 57 registries with serious flaws, such as default admin passwords,” and 15 of those registries permitted admin access with the default password. More than 2,100 artifact registries were found to have upload rights, which an attacker might use to taint the registry with malicious code.